[bestbits] IGF registration form completely unencrypted

Mon Sep 9 10:55:09 EDT 2013

Hi All

I am no techie but I have enquired with a coder and a sysadmin. The
HTTPS form is embedded in an IFRAME in the HTTP site, it is handled by
the browser as a seperate page, so SSL encryption should be intact.

So this was in fact a false alarm I guess.

Still a good idea to send people directly to the HTTPS so they can
know its an encrypted connection, and verify the identity of the site.

So I guess all is in order

(except for in browser SSL encryption in general being possibly
broken, but thats another story).

Kind regards,
Alex

...
Alex Comninos | doctoral candidate
Department of Geography | Justus Liebig University, Gießen
+49 179 554 7075 | Skype: alexcomninos5
http:// comninos.org | Twitter: @alexcomninos

On 9 September 2013 16:13, Alex Comninos <alex.comninos at gmail.com> wrote:
> Hi Bill
>
> Thanks for this swift reply.
>
> The HTTPS form looked familiar, I see that the HTTPS form
> (https://comanche.vervehosting.com/~wgig/igf/cms/wks2013/meeting_attendance_registration_2013_IGF.php)
> is actually embedded as an iframe in the HTTP page
> (http://www.intgovforum.org/cms/igf-2013-registration) - see the
> source excerpt below:
> ...
> <div class="contentpane">
> <div class="componentheading">
> Pre Registration IGF 2013 </div>
> <iframe id="blockrandom"
> name="iframe"
> src="https://comanche.vervehosting.com/~wgig/igf/cms/wks2013/meeting_attendance_registration_2013_IGF.php"
> width="100%"
> height="2070"
> scrolling="auto"
> align="top"
> frameborder="0"
> class="wrapper">
> This option will not work correctly. Unfortunately, your browser does
> not support inline frames.</iframe>
> </div>
> ...
>
> I am no techie but this should provide SSL encryption nonetheless?
>
> So it was encrypted after all I guess?
>
> Kind regards,
> Alex
> ...
> Alex Comninos | doctoral candidate
> Department of Geography | Justus Liebig University, Gießen
> +49 179 554 7075 | Skype: alexcomninos5
> http:// comninos.org | Twitter: @alexcomninos
>
>
> On 9 September 2013 15:59, William Drake <william.drake at uzh.ch> wrote:
>> Hi
>>
>> On Sep 9, 2013, at 3:10 PM, Alex Comninos <alex.comninos at gmail.com> wrote:
>>
>> On 9 September 2013 15:06, Robert Guerra <rguerra at privaterra.org> wrote:
>>
>> Someone correct me if I am wrong - but this isn't the first time the issue
>> of having an insecure registration site has been raised.
>>
>>
>> IGF 2011 had an http registration and I raised it then, 2012 utilised
>> HTTPS, I am not sure of the others.
>>
>>
>> Saw this message and shot the secretariat a note, since it's their site.
>> Chengetai's response is below.
>>
>> Cheers
>>
>> Bill
>>
>> —————
>>
>> From: Chengetai Masango <CMASANGO at unog.ch>
>> Subject: Re: [bestbits] IGF registration form completely unencrypted
>> Date: September 9, 2013 3:37:20 PM GMT+02:00
>> To: William Drake <william.drake at uzh.ch>
>> Cc: IGF <IGF at unog.ch>
>>
>> Hi Bill,
>>
>> We have an https link
>>
>>
>> https://comanche.vervehosting.com/~wgig/igf/cms/wks2013/meeting_attendance_registration_2013_IGF.php
>>
>> I will add the link to the form.
>>
>>
>> on the server side its all encrypted so that's fine.